Over the weekend the ASP.NET team released a Microsoft Security Advisory about a security vulnerability found in ASP.NET:

http://www.microsoft.com/technet/security/advisory/2416728.mspx

The WCF Data Services team looked into the issue and does not believe there is any additional exposure to the vulnerability beyond what is exposed by ASP.NET itself. However, if the WCF Data Service is hosted in ASP.NET, it is quite possible that the vulnerability is present. If you use the ASP.NET encryption logic to hide sensitive information from the client and then use that encrypted data to make decisions inside the WCF Data Service, you can run into this issue. Below are a few examples:

  • If you use an encrypted cookie to decide which database to connect to in the CreateDataSource method
  • If you use an encrypted cookie to figure out whether the user is an admin, rather than using the RoleManager on the server
  • If you use an encrypted cookie to apply business logic in change or query interceptors
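The three patterns above share one property: an authorization or routing decision is taken from data the client holds, and the only thing keeping that data honest is the ASP.NET machine-key encryption that the advisory concerns. The following C# sketch, added here as an illustration and not code from this post or from the WCF Data Services team, puts the cookie-driven version of the first two bullets next to the server-side version. The `Order` entity, `OrdersContext`, the `role` cookie name and the `ReportingDb` connection-string name are all assumed for the example; `DataService<T>`, `[QueryInterceptor]`, `CreateDataSource`, `Roles.IsUserInRole` and `MachineKey.Decode` are the real .NET 4.0 APIs.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Services;
using System.Data.Services.Common;
using System.Linq;
using System.Linq.Expressions;
using System.Text;
using System.Web;
using System.Web.Security;

// Hypothetical entity exposed by the service (assumed for this example).
[DataServiceKey("ID")]
public class Order
{
    public int ID { get; set; }
    public string Owner { get; set; }
    public decimal Total { get; set; }
}

// Hypothetical reflection-provider data source; a real one would wrap a database.
public class OrdersContext
{
    private readonly List<Order> _orders = new List<Order>
    {
        new Order { ID = 1, Owner = "alice", Total = 10m },   // constructed sample data
        new Order { ID = 2, Owner = "bob",   Total = 20m },
    };

    public string ConnectionName { get; private set; }
    public OrdersContext(string connectionName) { ConnectionName = connectionName; }
    public IQueryable<Order> Orders { get { return _orders.AsQueryable(); } }
}

public class OrdersService : DataService<OrdersContext>
{
    public static void InitializeService(DataServiceConfiguration config)
    {
        config.SetEntitySetAccessRule("Orders", EntitySetRights.AllRead);
        config.DataServiceBehavior.MaxProtocolVersion = DataServiceProtocolVersion.V2;
    }

    // RISKY: the admin decision comes from a cookie the client holds. The value is
    // protected with the ASP.NET machine key, so it is only as trustworthy as that
    // encryption, which is exactly what the advisory is about.
    private static bool IsAdminFromCookie()
    {
        HttpCookie cookie = HttpContext.Current.Request.Cookies["role"];
        if (cookie == null) return false;
        byte[] plain = MachineKey.Decode(cookie.Value, MachineKeyProtection.All);
        return Encoding.UTF8.GetString(plain) == "Admin";
    }

    // SAFER: ask the server-side role provider. Nothing here depends on data the
    // client can see or tamper with, so the cookie encryption is not a trust boundary.
    private static bool IsAdminFromRoleManager()
    {
        var user = HttpContext.Current.User;
        return user != null
            && user.Identity.IsAuthenticated
            && Roles.IsUserInRole(user.Identity.Name, "Admin");
    }

    // First bullet: choose the backing store from the server-side role, not from a cookie.
    protected override OrdersContext CreateDataSource()
    {
        string connectionName = IsAdminFromRoleManager() ? "ReportingDb" : "DefaultDb";
        return new OrdersContext(connectionName);
    }

    // Second and third bullets: a query interceptor whose filter is driven by the
    // server-side role check rather than by IsAdminFromCookie().
    [QueryInterceptor("Orders")]
    public Expression<Func<Order, bool>> OnQueryOrders()
    {
        if (IsAdminFromRoleManager())
            return o => true;                       // admins see every order

        string name = HttpContext.Current.User.Identity.Name;
        return o => o.Owner == name;                // everyone else sees only their own
    }
}
```

`IsAdminFromCookie` is left in so the two shapes can be compared side by side; it is the pattern to look for when auditing a hosted service, and `IsAdminFromRoleManager` (or the equivalent check against `HttpContext.Current.User`) is the replacement that keeps the decision on the server.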

For a complete description of the vulnerability, please read ScottGu's post on the subject:

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx


Andrew Conrad

Development Lead

WCF Data Services